Abstract

Blakley, Blakley, Chan and Massey conjectured a lower bound on the entropy of broadcast messages in threshold schemes with disenrollment. In an effort to examine the conjecture, we identify a limitation of their original scheme definition: a coalition of participants can reconstruct all shared secrets without any broadcast from the dealer, which leaves the dealer with no control over disenrollment. We introduce a constraint that delays this loss of the dealer's control over disenrollment. We also establish lower bounds on the entropy of broadcast messages in such a model. We demonstrate the need for new models by presenting a construction in the discussion of open problems.
1 Introduction

A (t, n) threshold scheme is a technique to split a secret among a group of n participants in such a way that any subset of t or more participants can reconstruct the shared secret by pooling the information they hold, while any subset of fewer than t participants is unable to recover the secret [2], [14]. The information held by a participant is called a share; it is distributed securely by a trusted third party, called the dealer, to the participant at initialization. Threshold schemes find important applications in cryptography and security, such as secure distributed storage of a master key, secure file sharing, and threshold signatures [15].

Threshold  schemes  were  first  introduced  by  Shamir  [14]  and  Blakley  [2]  and  were  generalized 
to  secret  sharing  schemes,  which  allow  reconstruction  of  a  shared  secret  among  a  more  general 
combination  of  subsets  of  participants.  An  excellent  survey  on  secret  sharing  can  be  found  in  [15], 
and  a  bibliography  is  provided  online  in  [16]. 

There are scenarios in which the share of a participant is stolen or is disclosed deliberately by a malicious participant. Then, for security reasons, the share has to be assumed to have become public knowledge, and the effective threshold within the group is reduced by 1, because any t - 1 shares from the group plus the disclosed share suffice to reconstruct the secret. It is preferable that the same level of security, i.e., the same threshold size t, be preserved even if shares are disclosed. This may not present a problem if a secure channel is available all the time, since the dealer can choose a new shared secret, construct a (t, n - 1) threshold scheme, and deliver new shares securely to the remaining participants. However, an expensive secure channel is normally set up only to distribute the initial shares and is no longer available after initialization. An alternative is to use public broadcast by the dealer. The problem of maintaining the threshold via broadcast only, in case of share disclosure or loss, was considered by Blakley, Blakley, Chan and Massey in [3], and the solutions were called threshold schemes with disenrollment capability. Blakley et al. formally defined threshold schemes with L-fold disenrollment capability as schemes that have the capability of disenrolling L participants successively, one at a time, without reducing the threshold. In the model of a threshold scheme with disenrollment capability [3], it is assumed that no secure channel is available after initialization, either between the dealer and each participant or between participants, and a new secret is chosen to be shared among the group after each disenrollment. The scheme is different from a proactive secret sharing scheme [9], in which a long-term secret is protected against gradual break-in by periodically refreshing the share of each participant using public key cryptosystems.

Share size and broadcast size are used to characterize a threshold scheme with disenrollment. While a small share size may lead to low storage requirements, it also reduces the search space of an adversary. Broadcast size indicates communication cost, and a broadcast message of smaller size is less likely to be corrupted during transmission than a longer message. In [3], Blakley et al. established a lower bound on the size of shares in a threshold scheme with L-fold disenrollment capability and conjectured a lower bound on the size of the public broadcast. Barwick et al. confirmed a revised version of the lower bound on the broadcast size in [1].

Our Contribution: We show that the model of a threshold scheme with disenrollment capability originally defined in [3] and also used in [1] can lead to disenrollment that is not under the control of the dealer. We illustrate this point by studying a scheme in which a coalition of t + i participants can recover the shared secrets $K_0, ..., K_i$ before the ith disenrollment, without requiring any broadcast from the dealer. In order to resolve the problem, we propose a broadcast enforced model of threshold schemes with disenrollment by adding one condition to the original scheme definition to ensure that public broadcast from the dealer is necessary in the reconstruction of the current shared secret. Although Barwick et al. [1] stated that they do not constrain t + i participants from constructing the shared secret $K_i$ in advance, they also noted that if it is a potential problem, then a stronger model is necessary. Our broadcast enforced model can be viewed as a first step in the search for such a stronger model, and our model prevents a collusion of any number of participants from recovering new shared secrets without a broadcast message from the dealer. We establish lower bounds on broadcast messages in the new model. We also note the inherent limitation of the original disenrollment model by showing that even with our condition, the dealer can only delay the loss of control under user collusion. We discuss this problem in Section 5 and present examples showing the need for new directions.

Other related work on threshold schemes with disenrollment includes [4], [6], [8], [11], [12], [17]. In [11], disenrollment of untrustworthy participants was discussed for general secret sharing schemes, but no analytical study of the bounds on share size or broadcast size was provided. Blundo et al. [4] addressed the more general problem of enabling different sets of participants to reconstruct different secrets at different times via an insecure public channel, and established lower bounds on share size. However, they did not investigate the lower bound on the broadcast size for a threshold scheme with disenrollment. Charnes et al. [6] presented a computationally secure threshold scheme with disenrollment based on the hardness of the discrete logarithm problem. In [8], secure channels between participants were employed to refresh valid participants with new shares in order to recover new secrets. A scheme was proposed in [17] to realize disenrollment without changing shares, but it was later shown to be flawed in [12].

This paper is organized as follows. In Section 2, we review the definition of threshold schemes with disenrollment capability [3] and previous results on the lower bounds on share size [3] and broadcast size [1]. In Section 3, we show by an example that the original definition of a threshold scheme with disenrollment can potentially leave the dealer with no control over the disenrollment process. To fix the problem, we propose adding one broadcast enforcement term to the definition. In Section 4, we derive lower bounds on the size of broadcast messages in the model with the new property added. We finally conclude the paper with our contributions and one open problem in Section 5.

2  Preliminaries 

In this section, we review the definitions of a threshold scheme and a threshold scheme with disenrollment in an information-theoretic approach, and summarize the results of previous studies on the bounds of share size and broadcast size. For clarity of presentation, we list the notation used in this paper in Table 1.


Table 1: Notation

$H(\cdot)$  Shannon entropy [7]
$I(\cdot;\cdot)$  mutual information [7]
$t$  threshold
$n$  total number of participants
$L$  maximum allowable number of disenrollments
$N$  set of all the indices of the n participants, i.e., $N = \{1, ..., n\}$
$i$  index for update stages
$j$  index for participants
$S_j$  share held by participant j
$K_i$  secret to be shared at stage i
$P_i$  broadcast message at stage i
$d_i$  index of the disenrolled participant at stage i
$D_i$  set of indices of all disenrolled participants up to stage i, i.e., $D_i = \{d_1, ..., d_i\}$
$v_l$  index of a valid participant, with a dummy counting index l
$S_j^{(i)}$  subshare of participant j corresponding to the shared secret $K_i$
$R$  random string used to hide a shared secret or a share
$X_{a:b}$  the set $\{X_a, X_{a+1}, ..., X_b\}$ for $a \le b$


2.1  Threshold  Schemes 

A (t, n) threshold scheme is a protocol to divide a secret into n shares so that knowledge of at least t shares allows full reconstruction of the secret [2], [14]. Let K be the shared secret, a random variable taking values in the space $\mathcal{K}$, and let S be a share, a random variable taking values in the space $\mathcal{S}$. Let $S_j$ be the share held by participant j, for $j \in N = \{1, ..., n\}$.




Definition 1 A (t, n) threshold scheme is a sharing of a secret K among n participants so that

1. The secret K is recoverable from at least t shares. That is, for any set of k (t ≤ k ≤ n) indices $\{l_1, l_2, ..., l_k\} \subseteq \{1, ..., n\}$,

$$H(K \mid S_{l_1:l_k}) = 0 \quad \text{for } t \le k \le n. \qquad (1)$$

2. The secret K remains uncertain with knowledge of (t - 1) or fewer shares. That is,

$$H(K \mid S_{l_1:l_k}) > 0 \quad \text{for } k < t. \qquad (2)$$

A (t, n) threshold scheme is called perfect in an information-theoretic sense if (t - 1) or fewer shares reveal absolutely no information on the secret K. That is,

$$H(K \mid S_{l_1:l_k}) = H(K) \quad \text{for } k < t. \qquad (3)$$

It has been shown in [13] that a necessary condition for a perfect threshold scheme is

$$H(S_j) \ge H(K) \quad \text{for } j = 1, ..., n. \qquad (4)$$

A perfect threshold scheme is called ideal if the share size achieves the lower bound in (4), i.e., $H(S_j) = H(K)$ for all j.

2.2  Threshold  Schemes  with  Disenrollment 

A threshold scheme with L-fold disenrollment capability deals with the problem of maintaining a threshold via an insecure broadcast channel when disenrolling an untrustworthy participant at each of L successive updates [3]. Let i = 1, ..., L be the indices of the update stages. At the ith update, let $K_i$ denote the shared secret, $P_i$ the broadcast message, $d_i \in N \setminus D_{i-1}$ the index of the participant disenrolled at the ith update, and $v_l \in N \setminus D_i$ for l = 1, ..., n - i an index of one of the remaining valid participants.

Definition 2 A (t, n) threshold scheme with L-fold disenrollment capability, with n - L ≥ t, is a collection of shares $S_j$ for j = 1, ..., n; shared secrets $K_i$ for i = 0, ..., L; and public broadcast messages $P_i$ for i = 1, ..., L, that satisfies the following conditions:

1. Initially (i.e., at stage i = 0), the scheme is a (t, n) threshold scheme that shares the secret $K_0$ among n participants.

2. At stage i for i = 1, ..., L, one additional share $S_{d_i}$ is disenrolled, and any set of k (t ≤ k ≤ n - i) valid shares $S_{v_1}, ..., S_{v_k}$ plus the broadcast messages $P_1, ..., P_i$ can reconstruct the new secret $K_i$, i.e.,

$$H(K_i \mid S_{v_1:v_k}, P_{1:i}) = 0 \quad \text{for } t \le k \le n - i. \qquad (5)$$

3. At stage i for i = 1, ..., L, given the broadcast information $P_1, ..., P_i$ and all disenrolled shares $S_{d_1}, ..., S_{d_i}$, the shared secret $K_i$ is not solvable if the number of valid shares is less than t. That is,

$$H(K_i \mid S_{v_1:v_k}, S_{d_1:d_i}, P_{1:i}) > 0 \quad \text{for } k < t. \qquad (6)$$

A (t, n) threshold scheme with L-fold disenrollment capability is called perfect if

$$H(K_i \mid S_{v_1:v_k}, S_{d_1:d_i}, P_{1:i}) = H(K_i) \quad \text{for } k < t. \qquad (7)$$

From Definition 2, it follows that a threshold scheme with disenrollment capability at stage i is equivalent to a (t, n - i) threshold scheme sharing $K_i$ among the n - i valid participants. In order to be able to collectively reconstruct $K_i$, each participant must have a component in his share corresponding to $K_i$. Note that $S_j$ is a collection of components used to reconstruct $K_0, ..., K_L$. Let $S_j^{(i)}$ denote the component in $S_j$ corresponding to $K_i$; we call $S_j^{(i)}$ a subshare of participant j. The subshare satisfies

$$H(K_i \mid S^{(i)}_{v_1:v_k}, P_{1:i}) = 0 \quad \text{for } t \le k \le n - i. \qquad (8)$$

The necessary condition (4) can be extended to subshares as

$$H(S_j^{(i)}) \ge H(K_i) \quad \text{for } j = 1, ..., n,\ i = 0, ..., L. \qquad (9)$$

The share of participant j, $S_j$, is the union of all its subshares over the L disenrollment stages, i.e., $S_j = \{S_j^{(0)}, S_j^{(1)}, ..., S_j^{(L)}\}$. Since the shared secrets $K_i$ at different stages i = 0, ..., L are independent, the subshares of one participant that are used to recover different secrets are independent in a share size efficient scheme.

2.3  Previous  Results  on  Bounds  of  Share  Size  and  Broadcast  Size 

For a threshold scheme with disenrollment capability as given in Definition 2, Blakley et al. [3] established a lower bound on the entropy of each share, as stated in Theorem 1.

Theorem 1 Let $S_{1:n}$, $P_{1:L}$, $K_{0:L}$ form a (t, n) perfect threshold scheme with L-fold disenrollment capability, and let $H(K_i) = m$ for i = 0, 1, ..., L. Then,

$$H(S_j) \ge (L + 1)m \quad \text{for } j = 1, 2, ..., n. \qquad (10)$$

The proof of Theorem 1 provided by Blakley et al. is built on their Lemma 5 in [3]. We find that the original proof of Lemma 5 on page 543 of [3] fails in the last line. A correct proof of their Lemma 5 is presented in the Appendix.

A perfect threshold scheme with disenrollment in which each share achieves its lower bound is called share minimal [1], i.e.,

$$H(S_j) = (L + 1)m \quad \text{for } j = 1, ..., n, \qquad (11)$$

where $H(K_i) = m$ for i = 0, ..., L.

Blakley et al. [3] also proposed a conjecture on the lower bound of the entropy of broadcast. A modified version of the conjecture was proven by Barwick et al. in [1]. Theorem 2 summarizes the result of Barwick et al. on the entropy of broadcast.

Theorem 2 Let $S_{1:n}$, $P_{1:L}$, $K_{0:L}$ form a (t, n) share minimal perfect threshold scheme with L-fold disenrollment capability satisfying properties (5), (7), and (11). Then

$$\sum_{l=1}^{i} H(P_l) \ge \sum_{l=1}^{i} \min(l,\ n - l - t + 1)\, m \quad \text{for } i = 1, ..., L. \qquad (12)$$
2.4 Useful Lemmas

In this section, we present some lemmas that will be useful in proving our theorems.

Lemma 1 Let X, Y, Z and W be random variables. Given

$$H(X \mid Y, W) = 0, \qquad (13)$$
$$H(X \mid Z, W) = H(X), \qquad (14)$$
$$H(X) = H(Y) \qquad (15)$$

leads to

$$I(Y; Z) = 0. \qquad (16)$$

Proof:

$$H(Y \mid Z) \ge H(Y \mid Z, W) \ge I(Y; X \mid Z, W) = H(X \mid Z, W) - H(X \mid Z, W, Y) \overset{(a)}{=} H(X).$$

Equation (a) holds because of (13) and (14).

$$I(Y; Z) = H(Y) - H(Y \mid Z) \le H(Y) - H(X) \overset{(b)}{=} 0.$$

Equation (b) holds because of (15). Furthermore, since $I(Y; Z) \ge 0$ by the non-negativity of the mutual information of two random variables [7], it follows that $I(Y; Z) = 0$. ■

Lemma 2 Let X, Y and Z be random variables. Given

$$H(X \mid Y, Z) = 0, \qquad (17)$$
$$H(X \mid Z) = H(Y \mid Z) \qquad (18)$$

leads to

$$H(Y \mid X, Z) = 0. \qquad (19)$$

Proof:

$$H(Y \mid X, Z) = H(X, Y, Z) - H(X, Z)$$
$$= H(X, Y, Z) - (H(Z) + H(X \mid Z))$$
$$= H(X, Y, Z) - (H(Z) + H(Y \mid Z))$$
$$= H(X, Y, Z) - H(Y, Z)$$
$$= H(X \mid Y, Z) = 0. \quad ■$$
3 Broadcast Enforced Threshold Scheme with Disenrollment

In this section, we show that Definition 2 in Section 2.2 is not adequate when centralized control by the dealer is required, by examining a scheme that satisfies Definition 2 (which originally appeared in [3] as Definition 2) but leaves the dealer no control over the disenrollment process.

Let us consider the following scheme.

• Participant j holds the share $S_j = \{S_j^{(0)}, S_j^{(1)}, ..., S_j^{(L)}\}$ after initialization, where subshare $S_j^{(i)}$ corresponds to a share of a (t + i, n) ideal perfect threshold scheme sharing the secret $K_i$.

• At stage i, the dealer broadcasts $P_i = S_{d_i}$.

If t + i participants collaborate by exchanging their shares, then they can decipher $K_0, ..., K_i$ in advance, and the disenrollment of an invalidated participant involving the update from $K_{i-1}$ to $K_i$ at stage i is not under the control of the dealer. Therefore, for the dealer to have control at each disenrollment, we should seek a model in which the broadcast $P_i$ is necessary for reconstructing the secret $K_i$, so that no disenrollment is possible without a broadcast message from the dealer.

The scheme presented above satisfies Definition 2 but requires no broadcast from the dealer if t + i participants collude. In order for the dealer to have control over each disenrollment, we suggest adding the following broadcast enforcement term:

$$I(K_i; S_{1:n}, P_{1:i-1}) = 0 \quad \text{for } i = 1, ..., L. \qquad (20)$$

Condition (20) states that the mutual information between $K_i$ and all shares $S_j$ for j = 1, ..., n together with all previous broadcast messages $P_1, ..., P_{i-1}$ is zero. By jointly considering (5) and (20), we note that (20) expresses the importance of the broadcast message $P_i$ at stage i: without the message, no information on the new shared secret $K_i$ can be obtained even if all shares $S_j$ and all previous broadcast messages $P_1, ..., P_{i-1}$ are known. Furthermore, enforcing a broadcast message from the dealer gives the dealer the freedom to choose the secret to be shared when disenrolling untrustworthy participants, whereas in the scheme presented above, all the shared secrets are predetermined before the shares are distributed to participants.

In [1], Barwick et al. used the same model defined in (5) and (7) when deriving a lower bound on the entropy of broadcast. However, one of their lemmas, Lemma 2, implies the necessity of broadcast in recovering the shared secret. From now on, we use capitalized LEMMA to refer to the lemmas cited from [1] and [3], and Lemma for our own lemmas.

LEMMA 2 in [1] In a (1, n) threshold scheme with L-fold disenrollment capability, let $l_1, ..., l_i$ be distinct elements of N = {1, ..., n}. Then

$$H(K_i \mid S_{l_1:l_i}, K_{0:i-1}) = H(K_i) \quad \text{for } i = 1, ..., L. \qquad (21)$$

They claim that (21) holds regardless of whether $S_{l_1:l_i}$ are valid or not. We will show in the following lemma that, for (21) to hold when at least one of $S_{l_1}, ..., S_{l_i}$ is valid, an additional condition that suggests the importance of the broadcast message needs to be satisfied.

Lemma 3 For (21) to hold in the case in which at least one of the shares $\{S_{l_1}, ..., S_{l_i}\}$ is valid at stage i, a necessary and sufficient condition is

$$I(K_i; P_{1:i} \mid S_{l_1:l_i}, K_{0:i-1}) = H(K_i). \qquad (22)$$
Proof:

Necessity: Since at least one of the shares $S_{l_1:l_i}$ is valid, for a (1, n) threshold scheme we have $H(K_i \mid S_{l_1:l_i}, P_{1:i}) = 0$ from (5), and thus $H(K_i \mid S_{l_1:l_i}, P_{1:i}, K_{0:i-1}) = 0$.

$$H(K_i) = H(K_i \mid S_{l_1:l_i}, K_{0:i-1})$$
$$= H(K_i \mid S_{l_1:l_i}, K_{0:i-1}) - H(K_i \mid S_{l_1:l_i}, P_{1:i}, K_{0:i-1})$$
$$= I(K_i; P_{1:i} \mid S_{l_1:l_i}, K_{0:i-1}). \qquad (23)$$

Sufficiency:

$$H(K_i) = I(K_i; P_{1:i} \mid S_{l_1:l_i}, K_{0:i-1})$$
$$= H(K_i \mid S_{l_1:l_i}, K_{0:i-1}) - H(K_i \mid S_{l_1:l_i}, P_{1:i}, K_{0:i-1})$$
$$\le H(K_i \mid S_{l_1:l_i}, K_{0:i-1}).$$

Since $H(K_i) \ge H(K_i \mid S_{l_1:l_i}, K_{0:i-1})$, we obtain $H(K_i) = H(K_i \mid S_{l_1:l_i}, K_{0:i-1})$. ■

Condition  (22)  emphasizes  the  importance  of  broadcast  messages,  i.e.,  even  with  the  knowledge 
of  enough  valid  shares  and  all  previous  shared  secrets,  broadcast  messages  up  to  now  are  needed  in 
deciphering  the  current  shared  secret.  In  fact,  the  proposed  term  (20)  is  a  sufficient  condition  for 
LEMMA  2  as  shown  in  the  following  lemma. 

Lemma 4 Condition (20) is a sufficient condition for (21), where $l_1, ..., l_i \in N$ for i = 1, ..., L.

Proof:

$$H(K_i \mid S_{l_1:l_i}, K_{0:i-1}) \ge H(K_i \mid S_{1:n}, K_{0:i-1}, P_{1:i-1})$$
$$= H(K_i \mid S_{1:n}, P_{1:i-1}) - I(K_i; K_{0:i-1} \mid S_{1:n}, P_{1:i-1})$$
$$= H(K_i \mid S_{1:n}, P_{1:i-1}) - H(K_{0:i-1} \mid S_{1:n}, P_{1:i-1}) + H(K_{0:i-1} \mid S_{1:n}, P_{1:i-1}, K_i)$$
$$\overset{(a)}{=} H(K_i \mid S_{1:n}, P_{1:i-1})$$
$$= H(K_i) - I(K_i; S_{1:n}, P_{1:i-1})$$
$$\overset{(b)}{=} H(K_i). \quad ■$$

Equation (a) holds because of (5), and Equation (b) holds due to the broadcast enforcement term (20). Since $H(K_i \mid S_{l_1:l_i}, K_{0:i-1}) \le H(K_i)$, it follows that (21) holds.

We  will  address  how  the  broadcast  enforcement  term  (20)  affects  the  previously  derived  lower 
bounds  on  the  broadcast  size.  Adding  (20)  to  the  definition  only  puts  additional  constraints  on 
requiring  broadcast  at  each  disenrollment,  and  hence  it  will  not  affect  the  lower  bounds  on  the 
share  size. 

4  Lower  Bounds  on  Broadcast  Entropy 

In  this  section,  we  will  establish  lower  bounds  on  the  entropy  of  broadcast  in  a  perfect  threshold 
scheme  with  disenrollment  satisfying  (5),  (7)  and  (20).  We  consider  two  cases,  (i)  no  constraints  on 
the  share  size;  (ii)  the  size  of  each  share  achieves  its  lower  bound  (11),  i.e.,  share  minimal  perfect 
threshold  schemes  with  disenrollment. 



Theorem 3 Let $S_{1:n}$, $P_{1:L}$, $K_{0:L}$ form a perfect (t, n) threshold scheme with L-fold disenrollment capability satisfying properties (5), (7) and (20), and let $H(K_i) = m$ for i = 0, 1, ..., L. Then

$$H(P_i) \ge H(K_i) = m, \quad i = 1, ..., L. \qquad (24)$$

Proof:

$$H(P_i) \overset{(a)}{\ge} H(P_i \mid S_{1:n}, P_{1:i-1})$$
$$\overset{(b)}{\ge} H(P_i \mid S_{1:n}, P_{1:i-1}) - H(P_i \mid S_{1:n}, P_{1:i-1}, K_i)$$
$$\overset{(c)}{=} I(P_i; K_i \mid S_{1:n}, P_{1:i-1})$$
$$\overset{(d)}{=} H(K_i \mid S_{1:n}, P_{1:i-1}) - H(K_i \mid S_{1:n}, P_{1:i})$$
$$\overset{(e)}{=} H(K_i \mid S_{1:n}, P_{1:i-1})$$
$$\overset{(f)}{=} H(K_i) - I(K_i; S_{1:n}, P_{1:i-1})$$
$$\overset{(g)}{=} H(K_i) = m.$$

Inequality (a) comes from the fact that conditioning reduces entropy. Inequality (b) holds due to the non-negativity of entropy. Equations (c), (d) and (f) follow from the definition of mutual information. The second term of (d) is zero due to (5), so Equation (e) follows. Equation (g) holds from property (20). ■

Theorem 3 is the main result of our previous paper [10]. It shows that the entropy of a broadcast message is at least that of the shared secret for all updates. The same result is mentioned in [1] for the original threshold scheme with disenrollment model, but without a rigorous proof.

Now we consider share minimal perfect threshold schemes with L-fold disenrollment, i.e., the case in which $H(S_j) = (L + 1)m$ for j = 1, ..., n. It will be proven that for this case,

$$H(P_i) \ge \min(i + 1,\ n - i - t + 1)\, m, \quad i = 1, ..., L, \qquad (25)$$

if all previous broadcast messages $P_l$ satisfy their lower bounds $\min(l + 1,\ n - l - t + 1)\, m$ for l = 1, ..., i - 1.

In  order  to  establish  the  bound  (25),  we  first  prove  some  lemmas  as  follows. 

Lemma 5 In a (1, n) share minimal perfect threshold scheme with L-fold disenrollment, any i + 1 subshares $S_{l_1}^{(i)}, ..., S_{l_{i+1}}^{(i)}$ are independent.

Proof: A (1, n) perfect threshold scheme with disenrollment satisfies the following two equations in terms of subshares:

$$H(K_i \mid S_{v_1}^{(i)}, P_{1:i}) = 0, \qquad (26)$$
$$H(K_i \mid S^{(i)}_{d_1:d_i}, P_{1:i}) = H(K_i) = m, \qquad (27)$$

where (26) is from (8) and (27) is obtained from (7).

Substituting $X = K_i$, $Y = S_{v_1}^{(i)}$, $Z = S^{(i)}_{d_1:d_i}$ and $W = P_{1:i}$ into Lemma 1, we have from (26), (27) and $H(S_{v_1}^{(i)}) = H(K_i)$ that

$$I(S_{v_1}^{(i)}; S_{d_1}^{(i)}, ..., S_{d_i}^{(i)}) = 0. \qquad (28)$$


We now prove the independence between subshares by contradiction.

Assume there is one set of i + 1 subshares $\{S_{l_1}^{(i)}, ..., S_{l_{i+1}}^{(i)}\}$ that are not independent. That is, in $\{S_{l_1}^{(i)}, ..., S_{l_{i+1}}^{(i)}\}$, there is at least one subshare that is not independent of the remaining i subshares. Without loss of generality, we assume that $S_{l_1}^{(i)}$ is dependent on $S_{l_2}^{(i)}, ..., S_{l_{i+1}}^{(i)}$:

$$I(S_{l_1}^{(i)}; S_{l_2}^{(i)}, ..., S_{l_{i+1}}^{(i)}) > 0. \qquad (29)$$

However, if $\{l_2, ..., l_{i+1}\} = \{d_1, ..., d_i\}$, these subshares fail to form a valid (1, n) threshold scheme with L-fold disenrollment, since (29) contradicts (28).

In order to be able to disenroll any i participants while maintaining the threshold at stage i, any i + 1 subshares $S_{l_1}^{(i)}, ..., S_{l_{i+1}}^{(i)}$ have to be independent. ■


Lemma 6 In a (1, n) share minimal perfect threshold scheme with L-fold disenrollment,

$$H(P_i) \ge \min(i + 1,\ n - i)\, m, \qquad (30)$$

if all previous broadcast messages meet their lower bound on entropy, i.e., $H(P_w) = \min(w + 1,\ n - w)\, m$ for w = 1, ..., i - 1. When $H(P_i)$ achieves its minimum $\min(i + 1,\ n - i)\, m$, then $I(P_i; S_j^{(l)}) = 0$ for l = i + 1, ..., L and j = 1, ..., n, i.e., $P_i$ is independent of the subshares used to reconstruct future shared secrets.


Proof:

We will first show $H(S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i}) = 0$, where $u = \min(i + 1,\ n - i)$. Let $S_{v_l}$ denote one valid share in the set $\{S_{v_1}, ..., S_{v_k}\}$.

$$H(S_{v_l}^{(i)} \mid P_{1:i}) \ge I(S_{v_l}^{(i)}; K_i \mid P_{1:i})$$
$$= H(K_i \mid P_{1:i}) - H(K_i \mid S_{v_l}^{(i)}, P_{1:i})$$
$$= H(K_i) = m.$$

Since $H(S_{v_l}^{(i)} \mid P_{1:i}) \le H(S_{v_l}^{(i)}) = m$, we have $H(S_{v_l}^{(i)} \mid P_{1:i}) = m$. From (27), we obtain $H(K_i \mid P_{1:i}) = H(K_i) = m$. By letting $X = K_i$, $Y = S_{v_l}^{(i)}$ and $Z = P_{1:i}$ and applying Lemma 2, we obtain $H(S_{v_l}^{(i)} \mid K_i, P_{1:i}) = 0$. Then

$$0 \le H(S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i}) \le \sum_{l=1}^{u} H(S_{v_l}^{(i)} \mid K_i, P_{1:i}) = 0. \qquad (31)$$

Therefore, $H(S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i}) = 0$.

Then we prove the lower bound on $H(P_i)$ by induction.

At stage k = 1, there are n - 1 valid participants, and $u = \min(k + 1,\ n - k) = \min(2,\ n - 1)$.

$$H(P_1) \ge I(P_1; S^{(1)}_{v_1:v_u} \mid K_1)$$
$$= H(S^{(1)}_{v_1:v_u} \mid K_1) - H(S^{(1)}_{v_1:v_u} \mid K_1, P_1)$$
$$\overset{(a)}{=} H(S^{(1)}_{v_1:v_u}, K_1) - H(K_1)$$
$$= H(S^{(1)}_{v_1:v_u}) + H(K_1 \mid S^{(1)}_{v_1:v_u}) - H(K_1)$$
$$\overset{(b)}{=} H(S^{(1)}_{v_1:v_u}) + H(K_1) - H(K_1)$$
$$\overset{(c)}{=} \sum_{l=1}^{u} H(S_{v_l}^{(1)})$$
$$= um = \min(2,\ n - 1)\, m.$$

Equation (a) holds because $H(S^{(1)}_{v_1:v_u} \mid K_1, P_1) = 0$. Without $P_1$, $H(K_1 \mid S^{(1)}_{v_1:v_u}) = H(K_1)$, and hence (b) holds. Equation (c) holds due to the independence of the $S_{v_l}^{(1)}$'s for l = 1, ..., i + 1 shown in Lemma 5.

Now we show that if $H(P_1) = \min(2,\ n - 1)\, m$, then $I(P_1; S_j^{(l)}) = 0$ for l = 2, ..., L and j = 1, ..., n.

$$H(P_1) \ge I(P_1; S_j^{(l)}, K_1, S^{(1)}_{v_1:v_u})$$
$$\ge I(P_1; S_j^{(l)}) + I(P_1; S^{(1)}_{v_1:v_u} \mid K_1, S_j^{(l)})$$
$$= I(P_1; S_j^{(l)}) + H(S^{(1)}_{v_1:v_u} \mid K_1, S_j^{(l)}) - H(S^{(1)}_{v_1:v_u} \mid K_1, P_1, S_j^{(l)})$$
$$= I(P_1; S_j^{(l)}) + H(S^{(1)}_{v_1:v_u} \mid S_j^{(l)}) + H(K_1 \mid S^{(1)}_{v_1:v_u}, S_j^{(l)}) - H(K_1)$$
$$\overset{(d)}{=} I(P_1; S_j^{(l)}) + H(S^{(1)}_{v_1:v_u})$$
$$= I(P_1; S_j^{(l)}) + \min(2,\ n - 1)\, m.$$

Equation (d) holds because of the independence of the subshares of one participant and condition (20).

From $H(P_1) \ge I(P_1; S_j^{(l)}) + \min(2,\ n - 1)\, m$, a necessary condition for $H(P_1)$ to achieve its lower bound is $I(P_1; S_j^{(l)}) = 0$ for l = 2, ..., L.

Assume Lemma 6 is true for stage k = i - 1, i.e., $H(P_{i-1}) \ge \min(i,\ n - i + 1)\, m$ if all previous broadcast messages reach their lower bound on entropy, i.e., $H(P_w) = \min(w + 1,\ n - w)\, m$ for w = 1, ..., i - 2, and $I(P_{i-1}; S_j^{(l)}) = 0$ for l = i, ..., L.

When k = i, $u = \min(k + 1,\ n - k) = \min(i + 1,\ n - i)$:

$$H(P_i) \ge I(P_i; S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i-1})$$
$$= H(S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i-1}) - H(S^{(i)}_{v_1:v_u} \mid K_i, P_{1:i})$$
$$= H(S^{(i)}_{v_1:v_u}, K_i \mid P_{1:i-1}) - H(K_i \mid P_{1:i-1})$$
$$= H(S^{(i)}_{v_1:v_u} \mid P_{1:i-1}) + H(K_i \mid S^{(i)}_{v_1:v_u}, P_{1:i-1}) - H(K_i \mid P_{1:i-1})$$
$$= H(S^{(i)}_{v_1:v_u} \mid P_{1:i-1}) + H(K_i) - H(K_i)$$
$$= H(S^{(i)}_{v_1:v_u} \mid P_{1:i-1})$$
$$= H(S^{(i)}_{v_1:v_u})$$
$$= um = \min(i + 1,\ n - i)\, m.$$

The proof that $I(P_i; S_j^{(l)}) = 0$ for l = i + 1, ..., L when $H(P_i)$ achieves its minimum $\min(i + 1,\ n - i)\, m$ is similar to the base case (i = 1) and thus is omitted. ■

Now  we  can  establish  the  lower  bound  of  H (Pi)  for  a  share  minimal  perfect  threshold  scheme 
with  disenrollment. 

Theorem 4 Let $S_{1:n}$, $P_{1:L}$, $K_{0:L}$ form a share minimal perfect (t, n) threshold scheme with L-fold disenrollment capability satisfying properties (5), (7), (11) and (20). Then

$$H(P_i) \ge \min(i + 1,\ n - i - t + 1)\, m, \quad i = 1, ..., L, \qquad (32)$$

if all previous broadcast messages $P_l$ for l = 1, ..., i - 1 achieve their lower bounds $\min(l + 1,\ n - l - t + 1)\, m$.

Proof:

As shown in [1], if $\{S_{1:n}, P_{1:L}, K_{0:L}\}$ form a (t, n) share minimal perfect threshold scheme with L-fold disenrollment capability, then $\{S_{l_1:l_{n-t+1}} \mid S_{v_1:v_{t-1}},\ P_{1:L} \mid S_{v_1:v_{t-1}},\ K_{0:L} \mid S_{v_1:v_{t-1}}\}$ form a (1, n - t + 1) share minimal perfect threshold scheme with L-fold disenrollment capability, where $\mid$ denotes "conditioned on" and $\{l_1, ..., l_{n-t+1}\} = N \setminus \{v_1, ..., v_{t-1}\}$. For the (1, n - t + 1) threshold scheme with disenrollment, we have $H(P_i \mid S_{v_1:v_{t-1}}) \ge \min(i + 1,\ n - t + 1 - i)\, m$ from Lemma 6, if all previous broadcast messages meet their lower bound on entropy.

Since $H(P_i) \ge H(P_i \mid S_{v_1:v_{t-1}})$, then

$$H(P_i) \ge \min(i + 1,\ n - t + 1 - i)\, m.$$

Therefore, Theorem 4 holds. ■

Comparing Theorem 2 and Theorem 4, we notice that when (20) is added to the definition to ensure that the dealer has control over disenrollment, the lower bound on broadcast size differs from (12), as expected.

5  Conclusions  and  An  Open  Problem 

During the process of examining the conjecture on the lower bound of broadcast entropy [3], we found that the original model of threshold schemes with disenrollment [3] is inadequate to ensure the dealer's control over each disenrollment. We presented a broadcast enforced model, which ensures that public broadcast from the dealer is required for disenrollment, by adding one additional term to the original definition. We showed that in related previous work establishing a lower bound on broadcast size [1], although the original model is used, the validity of LEMMA 2 does require the broadcast from the dealer. In the new model, a coalition of any number of participants is unable to reconstruct the shared secret $K_i$ before the ith disenrollment stage. We also derived lower bounds on the entropy of broadcast messages in such a model, which are refined from the bound obtained in [1].

There is an open problem with threshold schemes with disenrollment. Consider the following schemes.

Scheme 1

• Participant $j$ has share $S_j = \{S_j^{(0)}, \ldots, S_j^{(L)}\}$, where $S_j^{(i)}$ is a share of a $(t+i, n)$ ideal perfect threshold scheme sharing $K_i + R_i$, with $R_i$ being a string of length $m$ chosen by the dealer.

• At update $i$, the dealer broadcasts $P_i = \{R_i, S_{d_1}^{(i)}, \ldots, S_{d_i}^{(i)}\}$.


This scheme satisfies (5), (7) and (20) and achieves the lower bound (32) in Theorem 4 if $L \le \lfloor (n-t)/2 \rfloor$. But if $t+L$ participants collude in advance, then they can construct $K_0 + R_0, \ldots, K_L + R_L$. Under this construction, the dealer loses the ability to disenroll a participant of its choice. The best the dealer can do is to delay the broadcast, and hence the reconstruction of the shared secrets! Therefore, there are schemes that satisfy all the properties, including the broadcast requirement, and still do not give the dealer control over the disenrollment process. At first this might appear to be a problem with the setup of the original model in [3].
We now present a model attributed to Brickell and Stinson in [3] and show that it is possible to construct schemes that give the dealer full control over disenrollment while satisfying (5), (7) and (20).

Scheme 2 Brickell-Stinson's Scheme [3]

• The share held by participant $j$ is $S_j = \{S_j^{(0)}, R_j^{(1)}, \ldots, R_j^{(L)}\}$, where $R_j^{(i)}$ denotes the encryption/decryption key of $m$ bits for participant $j$ at disenrollment stage $i$.

• At stage $i$, the dealer updates only valid participants with new shares, so $P_i = \{S_{v_1}^{(i)} + R_{v_1}^{(i)}, \ldots, S_{v_{n-i}}^{(i)} + R_{v_{n-i}}^{(i)}\}$.


This scheme prevents a coalition of any number of participants from obtaining any shared secret as long as the dealer does not update those colluding participants with new shares.
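As an added illustration of both constructions (this is example code written for this page, not the paper's or Brickell and Stinson's own), the following Python models Scheme 1 and Scheme 2 with Shamir's scheme over GF(P) standing in for the ideal perfect threshold scheme. The field P = 2^61 - 1, the use of addition mod P for "+", and the parameters t = 2, n = 6, L = 2 in demo() are assumptions of the example. It shows the contrast the text draws: in Scheme 1 a coalition of t+L participants already holds every K_i + R_i before any broadcast, so the dealer's only remaining lever is to withhold R_i, whereas in Scheme 2 a participant the dealer does not update receives nothing usable at that stage.

```python
"""Toy model of Scheme 1 and Scheme 2 (threshold schemes with disenrollment).

Assumptions not taken from the paper: secrets, shares and the dealer's strings R are
elements of GF(P) with P = 2^61 - 1 (an "m-bit string" is an integer below P) and '+' is
addition mod P; Shamir's scheme stands in for the ideal perfect (t, n) threshold scheme.
"""
import secrets

P = (1 << 61) - 1  # Mersenne prime; the share field (constructed choice)

def shamir_split(secret, threshold, ids):
    """Ideal (threshold, len(ids)) Shamir scheme over GF(P): the share of id x is f(x)
    for a random polynomial f of degree threshold-1 with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in ids}

def shamir_recover(shares):
    """Lagrange interpolation at 0 over {x: f(x)}. With fewer than `threshold` shares the
    result is wrong with probability 1 - 1/P, so callers compare it with the true secret."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

class Scheme1:
    """Participant j holds S_j = {S_j^(0), ..., S_j^(L)}; S_j^(i) is a share of a
    (t+i, n) scheme for K_i + R_i. All of it is pre-distributed at setup."""
    def __init__(self, t, n, L):
        self.K = [secrets.randbelow(P) for _ in range(L + 1)]  # shared secrets K_0..K_L
        self.R = [secrets.randbelow(P) for _ in range(L + 1)]  # dealer's strings R_0..R_L
        self.level = [shamir_split((self.K[i] + self.R[i]) % P, t + i, range(1, n + 1))
                      for i in range(L + 1)]
        self.disenrolled = []  # d_1, d_2, ... in order
    def share(self, j):
        return [lvl[j] for lvl in self.level]
    def disenroll(self, d):
        """Stage i: broadcast P_i = {R_i, S_{d_1}^(i), ..., S_{d_i}^(i)}: i+1 field elements."""
        self.disenrolled.append(d)
        i = len(self.disenrolled)
        return {"R": self.R[i], "shares": {dj: self.level[i][dj] for dj in self.disenrolled}}

def scheme1_recover(i, participants, broadcast):
    """Valid participants ({j: S_j}) pool their level-i shares with the broadcast ones
    (t+i shares when t of them take part) and strip R_i to obtain K_i."""
    pool = {j: s[i] for j, s in participants.items()}
    pool.update(broadcast["shares"])
    return (shamir_recover(pool) - broadcast["R"]) % P

def scheme1_collude(participants, L):
    """The limitation the text points out: t+L participants pooling their level-i shares
    obtain K_i + R_i for every i with no broadcast at all; the dealer can only delay R_i."""
    return [shamir_recover({j: s[i] for j, s in participants.items()}) for i in range(L + 1)]

class Scheme2:
    """Brickell-Stinson: S_j = {S_j^(0), R_j^(1), ..., R_j^(L)}. At stage i the dealer makes
    fresh shares of K_i for the still-valid participants only and broadcasts each one
    masked with that participant's key R_j^(i)."""
    def __init__(self, t, n, L):
        self.t, self.stage = t, 0
        self.valid = list(range(1, n + 1))
        self.K = [secrets.randbelow(P) for _ in range(L + 1)]
        self.keys = {j: [secrets.randbelow(P) for _ in range(L + 1)] for j in self.valid}
        self.share0 = shamir_split(self.K[0], t, self.valid)
    def share(self, j):
        return {"S0": self.share0[j], "R": self.keys[j]}
    def disenroll(self, d):
        """Stage i: P_i = {S_v^(i) + R_v^(i) : v still valid}; d receives nothing usable."""
        self.valid.remove(d)
        self.stage += 1
        fresh = shamir_split(self.K[self.stage], self.t, self.valid)
        return {v: (fresh[v] + self.keys[v][self.stage]) % P for v in self.valid}

def scheme2_recover(i, participants, broadcast):
    """Each participant unmasks its own stage-i share with R_j^(i); a disenrolled
    participant is absent from the broadcast and so contributes nothing."""
    pool = {j: (broadcast[j] - s["R"][i]) % P for j, s in participants.items() if j in broadcast}
    return shamir_recover(pool) if pool else None

def demo(t=2, n=6, L=2):
    """Constructed parameters with L <= floor((n-t)/2). Returns named checks, all True."""
    s1 = Scheme1(t, n, L)
    S = {j: s1.share(j) for j in range(1, n + 1)}
    coalition = {j: S[j] for j in range(1, t + L + 1)}  # t+L participants, no broadcast
    before = scheme1_collude(coalition, L) == [(k + r) % P for k, r in zip(s1.K, s1.R)]
    P1 = s1.disenroll(n)  # stage 1: P_1 = {R_1, S_n^(1)}
    valid1 = {j: S[j] for j in range(1, t + 1)}
    s2 = Scheme2(t, n, L)
    T = {j: s2.share(j) for j in range(1, n + 1)}
    B1 = s2.disenroll(n)
    valid2 = {j: T[j] for j in range(1, t + 1)}
    mixed2 = {**{j: T[j] for j in range(1, t)}, n: T[n]}  # t-1 valid plus the disenrolled one
    return {
        "scheme1_masked_secrets_known_before_broadcast": before,
        "scheme1_t_valid_plus_P1_recover_K1": scheme1_recover(1, valid1, P1) == s1.K[1],
        "scheme2_t_valid_recover_K1": scheme2_recover(1, valid2, B1) == s2.K[1],
        "scheme2_disenrolled_plus_t_minus_1_fail": scheme2_recover(1, mixed2, B1) != s2.K[1],
    }
```

demo() returns four named booleans; the "fail" checks rely on Lagrange interpolation with too few points giving the wrong value, which happens with probability 1 - 1/P.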

From the above observation, we note that the predistribution of multiple shares can lead to unwanted key exposure. Finding alternative models that give more control to the dealer remains an open problem. 1


Appendix

In the appendix, we present a correct proof of LEMMA 5 in [3].

LEMMA 5 in [3] Let $S_{1:n}, P_{1:L}, K_{0:L}$ be a perfect $(t,n)$ threshold scheme with $L$-fold disenrollment capability. Then

$I(K_i;\; S_{v_1:v_k}, S_{d_1:d_i}, P_{1:i}, K_{0:i-1}) = 0$ for $k \le t-1$. (33)

In the original proof of LEMMA 5 in [3], they made use of (5), which holds only for $k \ge t$.

Proof:

Let us consider $k = t-1$ first. At stage $w = 0, \ldots, i-1$, the $t-1$ valid shares plus a share $S_{d_j}$ with $j > w$, which was also valid at stage $w$, suffice to recover $K_w$, i.e.,

$H(K_w \mid S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}) = 0$ for $w = 0, \ldots, i-1$, (34)

which is a necessary condition for (7).


$I(K_i;\; S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}, K_{0:i-1})$

$= I(K_i;\; S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}) + \sum_{w=0}^{i-1} I(K_i;\; K_w \mid S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}, K_{0:w-1})$

$= H(K_i) - H(K_i \mid S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i})$

$\quad + \sum_{w=0}^{i-1} \big[ H(K_w \mid S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}, K_{0:w-1}) - H(K_w \mid S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}, K_{0:w-1}, K_i) \big]$

$\overset{(a)}{=} 0.$

Equation (a) holds because of (7) and (34).

For $k < t-1$,

$0 \le I(K_i;\; S_{v_1:v_k}, S_{d_1:d_i}, P_{1:i}, K_{0:i-1}) \le I(K_i;\; S_{v_1:v_{t-1}}, S_{d_1:d_i}, P_{1:i}, K_{0:i-1}) = 0.$

Therefore, LEMMA 5 holds for $k \le t-1$.

1 We are currently working on this open problem and progress will be reported in a journal paper.